Digital signature generation apparatus, digital signature verification apparatus, and key generation apparatus

ABSTRACT

A digital signature generation apparatus includes memory to store finite field F q  and section D(u x (s, t), u y (s, t), s, t) as secret key, section being one of surfaces of three-dimensional manifold A(x, y, s, t) which is expressed by x-coordinate, y-coordinate, parameter s, and parameter t and is defined on finite field Fq, x-coordinate and y-coordinate of section being expressed by functions of parameter s and parameter t, calculates hash value of message m, generates hash value polynomial by embedding hash value in 1-variable polynomial h(t) defined on finite field F q , and generates digital signature D s (U x (t), U y (t), t) which is curve on section, the x-coordinate and y-coordinate of curve being expressed by functions of parameter t, by substituting hash value polynomial in parameter s of section.

CROSS-REFERENCE TO RELATED APPLICATIONS

This application is based upon and claims the benefit of priority from prior Japanese Patent Application No. 2005-214994, filed Jul. 25, 2005, the entire contents of which are incorporated herein by reference.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The invention relates to a digital signature generation apparatus, digital signature verification apparatus, and key generation apparatus, which exploit a common-key cryptosystem technique.

2. Description of the Related Art

In the present-day network society in which people communicate by exchanging lots of information such as e-mail messages and the like on networks, cryptosystem techniques are prevalently used as means for retaining information security and authenticity.

The cryptosystem techniques can be roughly classified into a common-key cryptosystem technique and public-key cryptosystem technique. The common-key cryptosystem technique is a cryptosystem based on a data stirring algorithm, can make high-speed encryption and decryption, and allows only two parties having a common key to make secret communications and authentication communications. The public-key cryptosystem technique is a cryptosystem based on a mathematical algorithm, and does not require prior key sharing although its encryption and decryption speeds are not higher than the common-key cryptosystem technique. The public-key cryptosystem technique is characterized in that a secret communication is implemented using a public key published by a sending partner, and an authentication communication can be made by applying a digital signature (by preventing spoofing) using a secret key of the sender.

For this reason, the digital signature based on the common-key cryptosystem technique is used as authentication means when high-speed processing is required between partners or devices or when one of a signature generation apparatus and a signature verification apparatus has lower performance in an environment in which a secret key can be shared. The digital signature based on the public-key cryptosystem technique is used when a secret key cannot be shared in online shopping sites and online sites of banks and securities companies doing business on the Internet or when the computation performances of both the signature generation apparatus and signature verification apparatus are high even in an environment in which a secret key can be shared.

As the typical public-key cryptosystem technique, RSA and elliptic curve cryptosystems are known, and digital signature schemes based on these techniques have been proposed. In the RSA cryptosystem, the difficulty of the prime factorization problem is the grounds for its security, and modulo exponentiation calculations are used as signature generation calculations and signature verification calculations. In the elliptic curve cryptosystem, the difficulty of the discrete logarithm problem on an elliptic curve is the grounds for its security, and point calculations on the elliptic curve are used as signature generation calculations and signature verification calculations. With these public-key cryptosystem techniques, a cryptanalysis (signature forgery method) associated with a specific key (public key) has been proposed, but a general cryptanalysis (signature forgery method) is unknown. Hence, serious security problems have not been found yet except for a cryptanalysis using a quantum computer (to be described later).

As another digital signature scheme based on the public-key cryptosystem, a scheme called SFLASH based on the multivariate cryptosystem which sets a problem of solving simultaneous equations formed using an extended theory of fields as the grounds for its security is known. However, prevailing attack methods against the multivariate cryptosystem are known, and a required key size must be increased to avoid that cryptanalysis. Hence, the practicality of this scheme is beginning to be viewed with suspicion.

Meanwhile, even the RSA and elliptic curve cryptosystems which are prevalently used in digital signature now are exposed to risk of decipher if a quantum computer appears. The quantum computer is a computer which can make massive parallel computations using a physical phenomenon called entanglement (based on a principle different from the current computers). To date, the quantum computer is a virtual computer whose operation is confirmed merely on the experimental basis, but research and development toward implementation is being made. Shor demonstrated in 1994 that algorithms which can efficiently solve the prime factorization and discrete logarithm problems using this quantum computer can be configured (P. W. Shor: “Algorithms for Quantum Computation: Discrete Log and Factoring”, Proceedings of the 35th Annual IEEE Symposium on Foundations of Computer Science, 1994).

That is, if the quantum computer is implemented, the RSA cryptosystem based on the prime factorization and the elliptic curve cryptosystem based on the discrete logarithm problem (on the elliptic curve) can be decrypted.

Under such circumstances, studies about digital signature based on the public-key cryptosystem which is still secure after implementation of the quantum computer have been made in recent years. As a scheme which can be implemented at present and whose cryptanalysis is difficult even by the quantum computer, a scheme called SFLASH based on the multivariate cryptosystem is known. However, as described above, since the multivariate cryptosystem requires a huge key size to warrant security for existing computers, its practicality is doubtful.

Furthermore, the public-key cryptosystem requires a larger circuit scale and longer processing time than the common-key cryptosystem. Hence, the public-key cryptosystem cannot be implemented in a low-power environment such as mobile terminals and the like, or a long processing time is required if it can be implemented. For this reason, a public-key cryptosystem which can be implemented even in a low-power environment is demanded.

In general, a digital signature based on the public-key cryptosystem is configured to find out a problem (such as the prime factorization problem, discrete logarithm problem, and the like) which is hard to calculate and to make generation of a digital signature on a message called plaintext (without knowing any secret key) equivalent to solution of the problem which is hard to calculate in terms of a computation volume. However, even if such problem which is hard to calculate is found, a digital signature which sets that problem as the grounds for its security cannot always be configured. If the problem which is too hard to calculate is set as the grounds for security, a problem of generation of a key becomes hard, resulting in a difficult configuration. On the other hand, if an easy problem is used to allow key generation, a digital signature is easily forged.

Therefore, creativity that can reconfigure a problem having a fine balance, i.e., a problem which is easy enough to generate a key but is not easy enough to decrypt (without knowing any generated secret key) is required. Owing to this difficulty, digital signatures based on not many public-key cryptosystems have been proposed.

In this way, conventionally, there is no digital signature system (a system for generating a key, generating a digital signature, and verifying the signature) based on the public-key cryptosystem, which can warrant security even after the advent of the quantum computer, can be securely implemented even by existing computers, and has feasibility in a low-power environment.

BRIEF SUMMARY OF THE INVENTION

According to embodiments of the present invention, A digital signature generation apparatus includes a memory to store (1) a finite field F_(q) and (2) a section D(u_(x)(s, t), u_(y)(s, t), s, t) as a secret key, the section being one of surfaces of a three-dimensional manifold A(x, y, s, t) which is expressed by an x-coordinate, a y-coordinate, a parameter s, and a parameter t and is defined on the finite field Fq, the x-coordinate and y-coordinate of the section being expressed by functions of the parameter s and the parameter t; calculates a hash value of a message m; generates a hash value polynomial by embedding the hash value in a 1-variable polynomial h(t) defined on the finite field F_(q); and generates a digital signature D_(s)(U_(x)(t), U_(y)(t), t) which is a curve on the section, the x-coordinate and y-coordinate of the curve being expressed by functions of the parameter t, by substituting the hash value polynomial in the parameter s of the section.

BRIEF DESCRIPTION OF THE SEVERAL VIEWS OF THE DRAWING

FIG. 1 is a view for explaining the fiberation and algebraic surfaces of a three-dimensional manifold;

FIG. 2 is a block diagram showing an example of the arrangement of a key generation apparatus;

FIG. 3 is a flowchart for explaining the processing operation of the key generation apparatus shown in FIG. 2;

FIG. 4 is a block diagram showing an example of the arrangement of a digital signature generation apparatus;

FIG. 5 is a flowchart for explaining the processing operation of the digital signature generation apparatus shown in FIG. 4;

FIG. 6 is a block diagram showing an example of the arrangement of a digital signature verification apparatus;

FIG. 7 is a flowchart for explaining the processing operation of the digital signature verification apparatus shown in FIG. 6;

FIG. 8 is a block diagram showing another example of the arrangement of a key generation apparatus;

FIG. 9 is a flowchart for explaining the processing operation of the key generation apparatus shown in FIG. 8;

FIG. 10 is a block diagram showing another example of the arrangement of the key generation apparatus shown in FIG. 2;

FIG. 11 is a block diagram showing another example of the arrangement of the digital signature generation apparatus shown in FIG. 4;

FIG. 12 is a block diagram showing another example of the arrangement of the digital signature verification apparatus shown in FIG. 6; and

FIG. 13 is a block diagram showing another example of the arrangement of the key generation apparatus shown in FIG. 8.

DETAILED DESCRIPTION OF THE INVENTION

Preferred embodiments of the invention will be described hereinafter with reference to the accompanying drawings.

An overview of this embodiment will be explained first.

(Overview)

In this embodiment, a three-dimensional (3D) manifold is defined as the one having degrees of freedom of three dimensions of a set of solutions of simultaneous (algebraic) equations defined on a field K. For example, since simultaneous equations given by:

$\begin{matrix} \left\{ \begin{matrix} {{f_{1}\left( {x,y,z,u,v,w} \right)} = 0} \\ {{f_{2}\left( {x,y,z,u,v,w} \right)} = 0} \\ {{f_{3}\left( {x,y,z,u,v,w} \right)} = 0} \end{matrix} \right. & (1) \end{matrix}$

include three equations that apply constraints to six variables, they have degrees of freedom of the three dimensions, and define a 3D manifold.

Especially, a space which is given by:

f(x,y,z,u)=0  (2)

and is defined as a set of solutions of a 4-variable algebraic equation defined on K is also a 3D manifold on K.

Note that definition equations of the 3D manifolds given by equations (1) and equation (2) are those on an affine space, and that on a projective space (in case of equation (2)) is given by:

f(x,y,z,u,v)=0

Since this embodiment does not handle the 3D manifold on the projective space, the definition equation is given by equations (1) or equation (2). However, even when the 3D manifold is expressed on the projective space, this embodiment is achieved intact. On the other hand, an algebraic surface has degrees of freedom of two dimensions of a set of solutions of simultaneous (algebraic) equations defined on the field K. Therefore the algebraic surface is defined, e.g., by:

g(x,y,z)=0

Since this embodiment handles only a 3D manifold given by only one equation like equation (2), equation (2) will be handled as a definition equation of the 3D manifold.

A “field” is a set that freely allows addition, subtraction, multiplication, and division, and real number, rational number, and complex number correspond to this. For example, a set such as integer number, a matrix, or the like which includes elements that are indivisible except for “0” is not a field. Of fields, a field called a finite field including a finite number of elements is known. For example, a coset Z/pZ which has p as a modulus with respect to a prime number p forms a field. Such field is called a prime field, and is expressed by F_(p). The finite field also includes a field F_(q) (q=p^(r)) having elements the number of which is a power of prime. However, this embodiment mainly handles only the prime field F_(p) for the sake of simplicity. In general, p of the prime field F_(p) is called a characteristic of the prime field F_(p). On the other hand, this embodiment is similarly achieved for a general finite field by applying a trivial modification.

The public-key cryptosystem is normally configured on a finite field because a message must be embedded as digital data. This embodiment also handles a 3D manifold defined on the finite field (especially, prime field in this embodiment) F_(p).

In a 3D manifold A: f(x, y, z, u)=0, a plurality of algebraic surfaces normally exist, as shown in FIG. 1. Such algebraic surfaces are called divisors on the 3D manifold. In general, a problem for seeking (nontrivial) divisors when the definition equation of the 3D manifold is given is also a difficult problem which remains unsolved in the modern mathematics, and no general solving method is known except for a method using a multivariate equation to be described later.

Especially, in the 3D manifold defined on the finite field to be handled by this embodiment, there are a few clues compared with that defined on an infinite field (a field including an infinite number of elements) such as a rational number field or the like, and such problem is known as a more difficult problem. Furthermore, multivariate equations which appear to seek divisors have more varieties than those which appear upon breaking a multivariate cryptosystem, and solving methods proposed for the multivariate cryptosystem are generally not achieved.

This embodiment calls this problem as a divisor finding problem on the 3D manifold or simply as a divisor finding problem, and forms a public-key cryptosystem which sets the divisor finding problem on the 3D manifold as the grounds for security.

In definition equation f(x, y, z, u)=0 of the 3D manifold A expressed by an x-coordinate, y-coordinate, z-coordinate, and parameter u, variables z and u are replaced by parameters s and t to obtain:

g _(s,t)(x,y):=f(x,y,s,t)

This equation is considered as a polynomial having elements of a 2-variable algebraic function field K(s, t) on the field K as coefficients. If g_(s,t)(x, y)=0 defines an algebraic curve on K(s, t), we define that the 3D manifold A has a fiberation on an affine plane P² having s and t as parameters. Mapping A→P² obtained by setting (x, y, s, t) in correspondence with (s, t) is called the fiberation on the affine plane P² of the 3D manifold A.

A curve g_(s0,t0)(x, y)=0 obtained by fixing a point (s, t) on the affine plane P² to one point (s₀, t₀) (s₀ and t₀ are elements of the field K) is called a fiber on the point (s₀, t₀), and is represented by A_(s0,t0).

The 3D manifold having the fiberation on the affine plane P² often includes algebraic surfaces on the 3D manifold A, which are parameterized by s and t, are called “sections”, and can be expressed by:

(x,y,s,t)=(u _(x)(s,t),u _(y)(s,t),s,t)

Some fiberations have no sections, but f(x, y, z, u) having sections can be easily configured.

On the other hand, as described above, definition equation f(x, y, z, u)=0 of the 3D manifold A can be considered on, e.g., a 1-variable algebraic function field K(t) in place of the 2-variable algebraic function field K(s, t). In this case, if we have:

h _(t)(x,y,s):=f(x,y,s,t)

h_(t)(x, y, s)=0 defines an algebraic surface on the 1-variable algebraic function field K(t) for respective values of t. At this time, we define that A has a fiberation on an affine line P¹ having t as a parameter, and mapping A→P¹ obtained by setting (x, y, s, t) in correspondence with (t) is called a fiberation on the affine line P¹ of the 3D manifold A.

A curved surface obtained when a point t on the affine line P¹ is fixed to one point t₀:

h _(t0)(x,y,s)=0

is called a fiber on the point t₀, and is represented by A_(t0).

A section in the 3D manifold having the fiberation on the affine line P¹ can be expressed by:

(x,y,s,t)=(u _(x)(t),u _(y)(t),u _(s)(t),t)

and corresponds to an algebraic curve parameterized by t on the 3D manifold A.

The section is a divisor of the 3D manifold. In general, if the fiberation of a 3D manifold is given, a corresponding fiber can be immediately obtained (by substituting elements of the field in s and t), but it is very difficult to obtain a corresponding section.

The digital signature to be described in this embodiment is the one which sets a problem for obtaining a section as the grounds for security of the divisor finding problem on the 3D manifold especially when the fiberation of the 3D manifold A is given.

Note that since this embodiment mainly handles the fiberation on the affine plane P², such fiberation will be simply referred to as a fiberation if it is apparent that the fiberation is that on the affine plane P² for the sake of simplicity. In this case, definition equation f(x, y, z, u)=0 of the 3D manifold having the fiberation will also be referred to simply as the fiberation.

In order to obtain the section from the fiberation, even in the modern mathematics, the following method alone is known. That is, assuming a section

(u_(x) (s, t), u_(y) (s, t), s, t) is:

deg_(s) u _(x)(s,t)<r _(sx),deg_(t) u _(x)(s,t)<r _(tx)

deg_(s) u _(y)(s,t)<r _(sy),deg_(t) u _(y)(s,t)<r _(ty)

(where deg_(s)u_(x)(s, t) is the degree when only s is used as a variable in u_(x)(s, t)) given:

u _(x)(s,t)=α₀+α₁ t+α ₂ s+α ₃ st+ . . . +α _(r) _(sx) _(r) _(tx) ⁻¹ s ^(r) ^(sx) ⁻¹ t ^(r) ^(tx) ⁻¹

u _(y)(s,t)=β₀+β₁ t+β ₂ s+β ₃ st+ . . . +β _(r) _(sy) _(r) _(ty) ⁻¹ s ^(r) ^(sy) ⁻¹ t ^(r) ^(ty) ⁻¹

substituting these equations in A(x, y, s, t)=0 yields:

${A\left( {{u_{x}\left( {s,t} \right)},{u_{y}\left( {s,t} \right)},s,t} \right)} = {{\sum\limits_{i}{c_{i,j}s^{i}t^{j}}} = 0}$

and expanding the left-hand side of this equation to express the coefficient of s^(i)t^(j) by a function c_(i,j)(α0, . . . , αr_(sx)r_(tx-1), β0, . . . , Br_(sy)r_(ty-1)) of α0, . . . , αr_(sx)r_(tx-1), β0, . . . , Br_(sy)r_(ty-1) sets and solves simultaneous equations:

$\left\{ {\begin{matrix} {{c_{0,0}\left( {\alpha_{0},\ldots \mspace{14mu},\alpha_{{r_{sx}r_{tx}} - 1},\beta_{0},\ldots \mspace{14mu},\beta_{{r_{sy}r_{ty}} - 1}} \right)} = 0} \\ {{c_{0,1}\left( {\alpha_{0},\ldots \mspace{14mu},\alpha_{{r_{sx}r_{tx}} - 1},\beta_{0},\ldots \mspace{14mu},\beta_{{r_{sy}r_{ty}} - 1}} \right)} = 0} \\ \vdots \\ {{c_{1,k}\left( {\alpha_{0},\ldots \mspace{14mu},\alpha_{{r_{sx}r_{tx}} - 1},\beta_{0},\ldots \mspace{14mu},\beta_{{r_{sy}r_{ty}} - 1}} \right)} = 0} \end{matrix}\quad} \right.$

That is, the public-key cryptosystem of the invention amounts to solving a problem of simultaneous equations as in the multivariate cryptosystem described in the prior art. However, the multivariate cryptosystem amounts to solving a problem of multivariate equations within a very limited range depending on the theory of a finite field extension (interpreted well in the modern mathematics), while the 3D manifold cryptosystem depends on the divisor finding problem as an unsolved problem on the mathematics. Thus, the difficulty levels of the problems in the two cryptosystems are considerably different.

The detailed configuration of the digital signature based on the divisor finding problem on the 3D manifold will be described below. Note that the 3D manifold defined on F_(p) will be examined below. For this reason, all calculations are made on F_(p).

First Embodiment

A public key used in the digital signature according to this embodiment is defined by the fiberation: A(x, y, s, t)=0 of a 3D manifold X on F_(p).

A secret key is defined by each of n sections Di: (x, y, s, t)=(u_(x,i)(s, t), u_(y,i)(s, t), s, t) of the 3D manifold A on F_(p).

These keys can be easily obtained by a key generation method to be described later.

(1) Signature Generation Processing

An overview of the signature generation processing will be described below. In the signature generation processing, a message (to be referred to as plaintext hereinafter) to be generated as a signature is converted into an integer m. As the conversion method, it is a common practice to convert the message into a code using a code system such as JIS code or the like, and to read that code as an integer.

Next, a hash value h(m) is calculated from the converted integer m by using a hash function h(x). Since the hash value h(m) generally has 120 bits to 160 bits, it is divided into a plurality of blocks h₀, h₁, . . . , h_(r-1) like:

h(m)=h ₀ ∥h ₁ ∥ . . . ∥h _(r-1)

and these blocks are embedded into coefficients of a 1-variable polynomial for a variable t:

h(t)=h _(r-1) t ^(r-1) + . . . +h ₁ t+h ₀

This is called hash value embedding processing hereinafter. The 1-variable polynomial embedded with the hash value is called a hash value polynomial h(t). In order to define h(t) as a polynomial on F_(p), each h_(i) (0≦i≦r−1) must be set to be an element of F_(p). That is, the hash value is divided based on the bit length of p to satisfy:

0≦h _(i) ≦p−1

One of n sections Di as the secret keys is randomly selected. The hash value polynomial h(t) is substituted in the variable s of the selected section:

Di:(w _(x)(s,t),w _(y)(s,t),s,t)

That is,

(w _(x)(h(t),t),w _(y)(h(t),t),h(t),t)

By arranging this, we have:

D _(s):(x,y,t)=(W _(x)(t),W _(y)(t),t)  (3)

This is sent as a digital signature D_(s) for the message m to the recipient together with the message m.

As can be seen from the above description, the digital signature D_(s) given by equation (3) is a curve on the section Di used as the secret key.

In terms of security, the degrees of W_(x)(t) and W_(y)(t) are preferably constant irrespective of the selected section. This can be achieved if u_(x,i)(s, t) includes the term of s^(hx)t^(kx) for all “i”s if:

h _(x)=max{deg_(s) u _(x,i)(s,t)|1≦i≦n}k _(x)=max{deg_(t) u _(x,i)(s,t)|1≦i≦n}

for a polynomial u_(x,i)(s, t) which appears in the section. This is because even when the hash value polynomial h(t) is substituted in s of any section, the term of the maximum degree of the obtained polynomial W_(x)(t) is generated from the polynomial obtained by substituting h(t) in the term of s^(hx)t^(kx).

As for u_(y,i)(s, t), the degree of W_(y)(t) can be maintained constant irrespective of i by the same means. A method of generating such keys (sections and corresponding 3D manifold) will be described later.

(2) Signature Verification Processing

The recipient who received the digital signature D_(s)(x, y, t) executes the following signature verification processing using his or her public key A(x, y, s, t) defined on the finite field F_(p).

As in the aforementioned signature generation processing, a message (to be referred to as plaintext hereinafter) is converted into an integer m. The conversion method is the same as that in the signature generation processing. By using the same hash function h(x) as in the aforementioned signature generation processing, a hash value h(m) is calculated from the converted integer m. Furthermore, as in the aforementioned signature generation processing, the hash value is divided into a plurality of blocks h₀, h₁, . . . , h_(r-1) like:

h(m)=h ₀ ∥h ₁ ∥ . . . ∥h _(r-1)

and these blocks are embedded into coefficients of a 1-variable polynomial for a variable t:

h(t)=h _(r-1) t ^(r-1) + . . . +h ₁ t+h ₀

defined on the finite field F_(p), thus generating a hash value polynomial h(t) embedded with the hash value.

The generated hash value polynomial h(t) is substituted in a variable s of the 3D manifold A(x, y, s, t) as the public key to generate an algebraic surface:

X(x,y,t)=A(x,y,h(t),t)

This X(x, y, t) is also an algebraic surface having the fiberation.

Next, the digital signature expressed by equation (3) (received by the receiving side) is substituted in the obtained algebraic surface X. If the value becomes “0”, it means that the digital signature is correct; otherwise, it means that the digital signature is incorrect.

This is because in the aforementioned digital signature generation processing, s=h(t) is substituted in the section Di randomly selected from those given as the secret keys. This corresponds to the section of the algebraic surface X(x, y, t) obtained by substituting s=h(t) in the 3D manifold A(x, y, s, t) in the aforementioned digital signature verification processing. Therefore, when the substituting operation like in the aforementioned digital signature verification processing is done, the value becomes “0”.

Furthermore, as is known, obtaining the section of the algebraic surface obtained by substituting s=h(t) is difficult as in the 3D manifold, and amounts to solving a problem of multivariate equations. Hence, as will be described in the paragraphs of security signature (to be described later), presenting of the section of an algebraic surface corresponding to the message by a third party who does not know the section of the 3D manifold amounts to a problem for obtaining the section of that algebraic surface. For this reason, it is impossible to execute such processing (in terms of the computation volume). This is the grounds for the digital signature of the invention being secure.

(3) Key Generation Method

The key generation method will be described below. Key generation of this embodiment is implemented by randomly selecting a section D1 or D2 and calculating a fiberation corresponding to the selected section. However, since the generated 3D manifold must have the two sections at the same time, the following device is required.

For the sake of simplicity, the key generation method will be described taking as an example a 3D manifold having the following fiberation of 3D manifolds:

E _(t):y² =x ³ +a(s,t)x+b(s,t)

where a(s, t) and b(s, t) are 2-variable polynomials. Initially, a characteristic p of a prime field is determined. At this time, security is not a problem if p is small. Sections D1 and D2 are given by:

D ₁:(x,y,s,t)=(u _(x)(s,t),u _(y)(s,t),s,t),D ₂:(x,y,s,t)=(v _(x)(s,t),v _(y)(s,t),s,t)

and are substituted in the 3D manifold A to obtain

u _(y)(s,t)² =u _(x)(s,t)³ +a(s,t)u _(x)(s,t)+b(s,t)

v _(y)(s,t)² =v _(x)(s,t)³ +a(s,t)v _(x)(s,t)+b(s,t)

When the corresponding sides of these equations are subtracted from each other, b(s, t) disappears to yield:

u _(y)(s,t)² −v _(y)(s,t)²−(u _(x)(s,t)³ −v _(x)(s,t)³)=a(s,t)(u _(x)(s,t)−v _(x)(s,t))

In order to define a(s, t) as a 2-variable polynomial, for example, it is sufficient if:

u _(x)(s,t)−v _(x)(s,t)|u _(y)(s,t)−v _(y)(s,t)

By utilizing this fact, key generation can be done by an algorithm to be described below.

Note that k₁(s, t)|k₂(s, t) means that a polynomial k₂(s, t) is divisible by a polynomial k₁(s, t).

Two polynomials which meet λ_(x)(s, t)|λ_(y)(s, t) are randomly selected. More specifically, in order to obtain a pair of such polynomials, for example, λ_(x)(s, t) is randomly given, and λ_(y)(s, t)=c(s, t)λ_(x)(s, t) is calculated by using a random polynomial c(s, t) to obtain λ_(y)(s, t).

Next, a polynomial v_(x)(s, t) is randomly selected, and u_(x)(s, t) is calculated by:

u _(x)(s,t)−v _(x)(s,t)=λ_(x)(s,t)

Likewise, a polynomial v_(y)(s, t) is randomly selected, and u_(y)(s, t) is calculated by:

u _(y)(s,t)−v _(y)(s,t)=λ_(y)(s,t)

By utilizing u_(x)(s, t), v_(x)(s, t), u_(y)(s, t), and v_(y)(s, t) calculated in this way, a polynomial a(s, t) can be calculated by calculating:

a(s,t)=(u _(y)(s,t)² −v _(y)(s,t)²−(u _(x)(s,t)³ −v _(x)(s,t)³))/(u _(x)(s,t)−v _(x)(s,t))  (4)

Furthermore, by utilizing the above a(s, t), b(s, t) can be obtained by:

b(s,t)=u _(y)(s,t)² −u _(x)(s,t)³ −a(s,t)u _(x)(s,t)  (5)

The aforementioned key generation method is not limited to the aforementioned example since it can be similarly implemented using a 3D manifold other than that described above as long as a definition equation is assumed in the form of:

y ² =x ⁵ +a(s,t)x+b(s,t)

On the other hand, the aforementioned key generation method cannot generate algebraic surfaces having three or more sections. Also, it is difficult to generate a public key which can set the degree of W_(x)(t) and W_(y)(t) which appear in the digital signature:

D _(s):(x,y,t)=(W _(x)(t),W _(y)(t),t)

described as the desired conditions in terms of security to be constant irrespective of the selected section. As a key generation method which can solve both these drawbacks, a second key generation method to be described below may be used.

The term s^(hx)t^(kx) of the maximum degree of u_(x,i)(s, t) is determined, and n 2-variable polynomials u_(x,i)(s, t) are defined so that the maximum degree of s is hx, and that of t is kx. Likewise, the term s^(hy)t^(ky) of the maximum degree of u_(y,i)(s, t) is determined, and n 2-variable polynomials u_(y,i)(s, t) are defined so that the maximum degree of s is hy, and that of t is ky.

Next, factors (x−u_(x,i)(s, t)) and (y−u_(y,i)(s, t)) are generated from these polynomials, and two factors (x−u_(x,i)(s, t)) and (y−u_(y,i)(s, t)) whose i has the same value are distributed to the left-hand side and right-hand side for respective “i”s (1≦i≦n). Then, the product of the n factors distributed to the left-hand side and that of the n factors distributed to the right-hand side are coupled by an equal sign to obtain:

$\begin{matrix} {{\left( {x - {u_{x,1}\left( {s,t} \right)}} \right)\left( {x - {u_{x,2}\left( {s,t} \right)}} \right)\mspace{14mu} \ldots \mspace{14mu} \left( {x - {u_{x,n}\left( {s,t} \right)}} \right)} = {\left( {y - {u_{y,1}\left( {s,t} \right)}} \right)\left( {y - {u_{y,2}\left( {s,t} \right)}} \right)\mspace{14mu} \ldots \mspace{14mu} \left( {y - {u_{y,n}\left( {s,t} \right)}} \right)}} & (6) \end{matrix}$

Equation (6) satisfies the above conditions. For example, Di: (u_(x,i)(s, t), u_(y,i)(s, t), s, t) becomes sections.

Furthermore, if h(t) is substituted in these sections, digital signatures D_(s): (W_(x)(t), W_(y)(t), t) with the same degree are generated due to their generation method. In practice, if equation (6) is used as it is, since sections are found soon, it is expanded to obtain a 3D manifold as the public key.

On the other hand, since the factors of x and those of y are respectively distributed to the right-hand side and left-hand side in equation (6), sections are often readily obtained by factorization. Hence, it is desired to generate a 3D manifold as the public key to randomly, distribute the factors of x and those of y to both the sides like:

(x − u_(x, 1)(s, t))(y − u_(y, 2)(s, t))  …  (x − u_(x, n)(s, t)) = (y − u_(y, 1)(s, t))(x − u_(x, 2)(s, t))  …  (y − u_(y, n)(s, t))

By generating the public key and secret key, a highly secure 3D manifold having n or more sections can be generated. Certain degree of freedom can be provided to the generation method of u_(x,i)(s, t) and u_(y,i)(s, t) if the above-mentioned security concern is taken care of.

(4) Proof of Security

Security proof of the aforementioned digital signature will be explained below. The security of the digital signature can be proved by proving that it is possible to solve a problem for obtaining the sections of the 3D manifold in a polynomial time if the problem for generating a pair of a message (plaintext) and digital signature can be solved in the polynomial time, and by conversely proving that it is possible to generate the pair of the message (plaintext) and digital signature if the problem of obtaining the sections of the 3D manifold can be solved in the polynomial time. That is, by theoretically proving the above facts, it is proved that the possibility of generation of the pair of the message (plaintext) and digital signature (possibility of substantive forgery) is equivalent to the possibility of solution of the problem for obtaining the sections of the 3D manifold. Then, if the problem for obtaining the sections of the 3D manifold as the grounds for security is difficult, it is proved that it is impossible to make substantive forgery of the digital signature. The security proof according to the above policy will be described below.

Define that if a two-dimensional (2D) section D is described by D=(d_(x)(s, t), d_(y)(s, t), s, t), the degree of the 2D section is the maximum value of the degrees of d_(x)(s, t) and d_(y)(s, t), i.e., max{deg(d_(x)(s, t)), deg(d_(y)(s, t))}.

[Theorem 1] The fact that it is difficult to calculate the problem for obtaining the sections of the 3D manifold defined on the finite field F_(p) having sections of degree n is equivalent to the fact that the digital signature of the invention is secure since it is impossible to make substantive forgery.

[Proof 1] Assume that algorithm α that can calculate a practical pair of plaintext and signature by the digital signature of this embodiment within the polynomial time exists. At this time, it will be proved that a polynomial time algorithm which obtains the 2D section of the 3D manifold using this algorithm α exists.

Let A(x, y, s, t) be a 3D manifold the 2D section of which is to be obtained. Next, a digital signature scheme which uses A(x, y, s, t) as a public key is considered, and pairs of plaintexts and signatures are generated as many as the number of polynomials. Assume that a hash value polynomial for plaintext m_(i) is h_(i)(t), and its signature is given by:

D _(s) ^((i))=(f _(i)(h _(i)(t),t),g _(i)(h _(i)(t),t),t)  (7)

where f_(i)(s, t) and g_(i)(s, t) respectively correspond to the x- and y-coordinates of the section of the 3D manifold A, and only a finite number of values exist. Therefore, when a predetermined number or more of signatures are collected, all of f_(i)(s, t) and g_(i)(s, t) are not different, and some of them are identical. Which of f_(i)(s, t) and g_(i)(s, t) are identical can be determined by the following method.

A 3D manifold B(x, y, s, t) (=A(x, y, t, s)) will be examined below. This B(x, y, s, t) is obtained by exchanging s and t of the 3D manifold A(x, y, t, s), and has sections of degree n based on the definition of the degree of sections. Then, algorithm α is applied to generate a pair of plaintext and signature. In this case, especially, if the signature which is generated when the plaintext whose hash value polynomial h_(i)(s) is a constant h_(i)(s)=h₀ is selected is given by:

D _(s):(x,y,s)=(ζ(h ₀ ,s),η(h ₀ ,s),s).

D:(x,y,s,t)=(ζ(s,h₀),η(s,h₀),s,h₀) gives one one-dimensional (1D) cycle of A(x, y, s, t) parameterized by s. Note that the cycle means a partial manifold, and especially, the 1D cycle is a 1D partial manifold. By utilizing this cycle D, of the 1D cycles given by:

D _(s) ^((i))=(x,y,s,t)=(f _(i)(h _(i)(t),t),g _(i)(h _(i)(t),t),h _(i)(t),t)

the cycles which exist on the same section of X are found by the following polynomial algorithm.

If (s, t)=(h_(i)(h₀), h₀), a point ζ(h_(i)(h₀), η(h_(i)(h₀), h₀), h_(i)(h₀), h₀) on D and a point (f_(i)(h_(i)(h₀), h₀), g_(i)(h_(i)(h₀), h_(i)(h₀), h₀) on D_(s) ^((i)) are determined. Note that the section of X is isomorphic to a plane having (s, t) as coordinates. Then, if these points satisfy:

(ζ(h _(i)(h ₀),h ₀),η(h _(i)(h ₀),h ₀))=(f _(i)(h _(i)(h ₀),h ₀),g _(i)(h _(i)(h ₀),h ₀))

D_(s) ^((i)) and D exist on the same section; otherwise D_(s) ^((i)) and D do not exist on the same section. A 1D cycle group included in the same section is given by:

D _(s) ^((k))=(w _(x)(h _(k)(t),t),w _(y)(h _(k)(t),t),t)(0≦j≦1)  (8)

If a section (w_(x)(s, t), w_(y) (s, t), s, t) of the 3D manifold A(x, y, s, t) is described by:

${{w_{x}\left( {s,t} \right)} = {\sum\limits_{i,j}{a_{ij}s^{i}t^{j}}}},{{w_{y}\left( {s,t} \right)} = {\sum\limits_{k,1}{b_{k\; 1}s^{k}t^{1}}}}$

the 1D cycle given by equation (8) is substituted to obtain:

${w_{x}\left( {{h_{k}(t)},t} \right)} = {\sum\limits_{i,j}{a_{ij}{h_{k}^{i}(t)}t^{j}}}$

By comparing coefficients of both the sides for each power of t, simultaneous linear equations of a_(ij) are obtained. Since the simultaneous linear equations have a solving method in the polynomial time, all a_(ij) values are obtained in the polynomial time. Likewise, since b_(ij) values are calculated in the polynomial time, it is proved that the sections of the 3D manifold A(x, y, s, t) can be obtained in the polynomial time.

Conversely, assume that polynomial time algorithm β which obtains the 2D sections of the 3D manifold exists. At this time, it will be proved that a practical pair of plaintext and signature by the digital signature of this embodiment can be calculated using this algorithm β in the polynomial time.

If the 3D manifold A(x, y, s, t) as a public key of the digital signature of this embodiment is given, its 2D section:

D:(w _(x)(s,t),w _(y)(s,t),s,t)

is calculated using algorithm β. When plaintext m is appropriately determined, and its hash value polynomial is h(t), s=h(t) is set to obtain a signature:

D _(s):(w _(x)(h(t),t),w _(y)(h(t),t),t)

In this manner, a practical pair of plaintext and signature can be calculated within the polynomial time. As described above, the theorem has been proved.

(5) Variations

Variations of this embodiment will be described below. The first variation is the one which replaces a hash value polynomial by a hash value itself. In the digital signature generation processing of this embodiment, a hash value h(m) is calculated from plaintext m, is expanded to a hash value polynomial h(t), and is substituted as s=h(t) in randomly selected section D_(i).

However, an embodiment which does not embed any hash value in a hash value polynomial is also achievable. That is, the hash value h(m) itself is substituted in a section D_(i) as s=h(m) to generate a digital signature:

D _(s):(w _(x)(h(m),t),w _(y)(h(m),t),t)

In this case, in the digital signature verification processing, substitution of s=h(m) to the 3D manifold A(x, y, s, t) as the public key is made, thus allowing signature verification by the same means.

It can be understood that this variation can be achieved in practice if the hash value polynomial h(t) of this embodiment is considered as a polynomial including only constant terms. That is, this variation can be considered as a special case of this embodiment. By utilizing this variation, polynomial operations in the digital signature generation processing and digital signature verification processing can be lessened, thus reducing the computation memory size and computation processing time. However, at the same time, since the hash value requires 120 bits in minimum, the size of p of F_(p) as a definition field must be increased to as large as about 120 bits, and a weakness, i.e., requirement of multiple-precision calculation, is also provided, thus limiting the effective application range.

The second variation is the one associated with a change in variable in which the hash value polynomial is substituted in a digital signature generation apparatus and digital signature verification apparatus of this embodiment. In the digital signature generation apparatus and digital signature verification apparatus of this embodiment, a 1-variable polynomial for a variable t, i.e., h(t), is adopted as the hash value polynomial, and is substituted in a variable s of the section as the secret key or the 3D manifold as the public key. Even when the following change is adopted, the invention is similarly achieved while guaranteeing security as well.

That is, a 1-variable polynomial for a variable s, i.e., h(s), is adopted as the hash value polynomial, and is substituted in variable t of the section as the secret key or the 3D manifold as the public key. Since both variables s and tare parameters, the effect of this embodiment remains the same in this variation.

(6) Arrangement

Examples of the arrangements of a key generation apparatus, digital signature generation apparatus, and digital signature verification apparatus according to the digital signature scheme of this embodiment, and their processing operations will be described below.

FIG. 2 is a block diagram showing an example of the arrangement of the key generation apparatus, and FIG. 3 is a flowchart for explaining the processing operation of the key generation apparatus. The arrangement and processing operation of the key generation apparatus shown in FIG. 2 will be described below with reference to the flowchart shown in FIG. 3. Note that practical numerical values and equations are presented to help understand the invention. However, these numerical values and equations are merely an example to help understand the invention, and do not always match a digital signature (especially in terms of the degrees of polynomials and the like) which is used in practice and has sufficiently high security.

Note that the aforementioned 3D manifold having the fiberation given by y²=x³+a(s, t)x+b(s, t) will be taken as an example in the following description.

A key generation processing start command is sent from an external apparatus or the like to a control unit 1, and the key generation apparatus starts key generation processing (step S1). Upon reception of the command, the control unit 1 requests a prime number generation unit 2 to generate a prime number. In prime number generation, a prime number may be randomly generated. However, since a large prime number need not be used, a prime number may be selected from those of about 6 bits at most randomly or arbitrarily (by means of determining the output order in advance), or a prime number determined in advance in the key generation apparatus may be used. Assume that a prime number p=17 is generated in this case (step S2).

The control unit 1 outputs the prime number p to a section generation unit 5, which starts generation of sections. The section generation unit 5 outputs the prime number p to a polynomial generation unit 3, which generates a 2-variable polynomial λ_(x)(s, t) (=−s(t−1)) (step S3). The polynomial generation unit 3 randomly selects a degree within the predetermined range, and can generate coefficients of the 2-variable polynomial having that degree within the range from 0 to p−1 as elements of the finite field F_(p).

The polynomial generation unit 3 generates λ_(x)(s, t) and outputs it to the control unit 1. Upon reception of λ_(x)(s, t), the control unit 1 executes generation processing of a random 2-variable polynomial c(s, t) to obtain c(s, t) (=s+t) (step S4).

The control unit 1 outputs c(s, t) and λ_(x)(s, t) to a polynomial calculation unit 4.

The polynomial calculation unit 4 calculates λ_(y)(s, t)=c(s, t)λ_(x)(s, t) (step S5) and outputs λ_(y)(s, t) (=−(s+t)s(t−1)) to the control unit 1.

Upon reception of λ_(y)(s, t), the control unit 1 randomly generates a 2-variable polynomial v_(x)(s, t) (=2st) by the same method as in generation of λ_(x)(s, t) (step S6), and outputs λ_(x)(s, t) (=−s(t−1)) and v_(x)(s, t) (=2st) to the polynomial calculation unit 4.

The polynomial calculation unit 4 calculates u_(x)(s, t) (=λ_(x)(s, t)+v_(x)(s, t)=s(t+1)), and outputs it to the control unit 1 (step S7).

The control unit 1 generates v_(y)(s, t) (=2st²+s+s²t−s²−st) as in step S6 (step S8), and calculates u_(y) (=λ_(y)(s, t)+v_(y)(s, t)=s(t²+1)) (step S9).

The control unit 1 outputs u_(x)(s, t), u_(y)(s, t), v_(x)(s, t), and v_(y)(s, t) to a manifold generation unit 6.

The manifold generation unit 6 calculates a 2-variable polynomial a(s, t) for parameters s and t of the 3D manifold A(x, y, s, t): y²=x³+a(s, t)x+b(s, t) using equation (4) by repetitively using the polynomial calculation unit 4 (step S10).

In this example, the calculation result is:

a(s,t)=14s ² t ² +s ² +s ³ t+16s ³+11s ² t+3st ³+2st+16st ²

Furthermore, the manifold generation unit 6 calculates a 2-variable polynomial b(s, t) for parameters s and t from a(s, t), u_(x)(s, t), u_(y)(s, t), v_(x)(s, t), and v_(y)(s, t) using equation (5) by repetitively using the polynomial calculation unit 4 (step S11).

In this example, the calculation result is:

b(s, t) = 15s²t⁴ + s²t² + s² + 2s³t³ + 6s³t² + 2s³t + 15s³ + 16s⁴t² + s⁴ + 15s²t³ + 15s²t

The manifold generation unit 6 outputs the obtained a(s, t) and b(s, t) to the control unit 1.

The control unit 1 substitutes a(s, t) and b(s, t) obtained in steps S10 and S11 in the polynomial y²=x³+a(s, t)x+b(s, t) which represents the 3D manifold A(x, y, s, t), thus generating a polynomial of fiberation A(x, y, t) of the 3D manifold A as a public key, as indicated by equation (9).

Also, the control unit 1 generates section (x, y, s, t) having the 2-variable polynomial u_(x)(s, t) as the x-coordinate and the 2-variable polynomial u_(y)(s, t) as the y-coordinate, and section D2: (x, y, s, t) having the 2-variable polynomial v_(x)(s, t) as the x-coordinate and the 2-variable polynomial v_(y)(s, t) as the y-coordinate, as indicated by equations (10) (step S12).

$\begin{matrix} {{{{A\left( {x,y,s,t} \right)}\text{:}\mspace{14mu} y^{2}} - x^{3} - {\left( {{14s^{2}t^{2}} + s^{2} + {s^{3}t} + {16s^{3}} + {11s^{2}t} + {3{st}^{3}} + {2{st}} + {16{st}^{2}}} \right)x} - \left( {{15s^{2}t^{4}} + {s^{2}t^{2}} + s^{2} + {2s^{3}t^{3}} + {6s^{3}t^{2}} + {2s^{3}t} + {15s^{3}} + {16s^{4}t^{2}} + s^{4} + {15s^{2}t^{3}} + {15s^{2}t}} \right)} = 0} & (9) \\ {\mspace{79mu} {{{D_{1}\text{:}\mspace{14mu} \left( {{u_{x}\left( {s,t} \right)},{u_{y}\left( {s,t} \right)},s,t} \right)} = \left( {{s\left( {t + 1} \right)},{s\left( {t^{2} + 1} \right)},s,t} \right)}\mspace{79mu} {{D_{2}\text{:}\mspace{14mu} \left( {{v_{x}\left( {s,t} \right)},{v_{y}\left( {s,t} \right)},s,t} \right)} = \left( {{2{st}},{{2{st}^{2}} + s + {s^{2}t} - s^{2} - {st}},s,t} \right)}}} & (10) \end{matrix}$

The control unit 1 outputs the generated public key and secret key to a key output unit 7, which outputs the public key and secret key.

Note that the respective functions (control unit 1, prime number generation unit 2, polynomial generation unit 3, polynomial calculation unit 4, section generation unit 5, manifold generation unit 6, key output unit 7, and the like) shown in FIG. 2 can be implemented when a computer, which comprises a storing unit (for example a memory) 101 that stores various programs and the like, a calculation unit 100 such as a CPU or the like, an output unit 102, an input unit 103, a communication unit 104, and the like that are connected via a bus, executes programs stored in the memory 101, as shown in FIG. 10.

In FIG. 10, the memory 101 stores a key generation control program, prime number generation program, polynomial generation program, polynomial calculation program, section generation program, manifold generation program, and key output program which are used to implement the functions of the control unit 1, prime number generation unit 2, polynomial generation unit 3, polynomial calculation unit 4, section generation unit 5, manifold generation unit 6, and key output unit 7.

The secret key and public key output from the key output unit 7 in FIG. 2 are sent to a request source via, e.g., the communication unit 104, or are passed to a digital signature generation apparatus and digital signature verification apparatus (to be described later).

FIG. 4 is a block diagram showing an example of the arrangement of a digital signature generation apparatus, and FIG. 5 is a flowchart for explaining the processing operation of the digital signature generation apparatus shown in FIG. 4. The arrangement and processing operation of the digital signature generation apparatus shown in FIG. 4 will be described below with reference to the flowchart shown in FIG. 5.

The digital signature generation-apparatus shown in FIG. 4 acquires plaintext m from a plaintext input unit 11, and acquires section group Di (u_(x)(s, t), u_(y)(s, t), s, t) (0≦i≦n) as the secret key from a secret key input unit 14.

As the secret key,

1. the characteristic p=17 of the prime number 2. two sections, given by equations (10), of the 3D manifold A defined on the finite field F_(p) which are generated by the aforementioned key generation processing are used. Note that all calculations are made on a finite field F₁₇ determined by the key generation processing.

When the plaintext m is input from the plaintext input unit 11, digital signature generation processing starts (step S101). The input plaintext m is output to a hash value calculation unit 12, which calculates a hash value h(m) using a hash function such as SHA1, MD5, or the like (step S102). In this example, the hash value is “0×151” for the sake of simplicity, but it must actually have 120 bits or more. The calculated hash value is sent to a polynomial generation unit 13, and is divided into a plurality of predetermined blocks. In this example, since p=17, the hash value is divided into 4-bit blocks, and the respective blocks are embedded in the coefficients of a hash value polynomial h(t) (step S103). The hash value polynomial h(t) obtained as a result of this step is h(t)=t²+5t+1.

A secret key storing unit 18 stores at least one section as a secret key, which is generated by the key generation apparatus with the arrangement shown in FIG. 2 or FIG. 8 (to be described later).

The secret key input unit 14 reads out a section group as the secret keys from the secret key storing unit 18 and outputs it to a signature generation unit 15 (step S104). The secret key storing unit 18 preferably stores a plurality of sections. In this example, the secret key storing unit 18 stores two sections D1 and D2 given by equations (10), and the secret key input unit 14 reads out these two sections D1 and D2 from the secret key storing unit 18 and outputs them to the signature generation unit 15. These sections are output from the signature generation unit 15 to a section selection unit 16. The section selection unit 16 randomly selects one of the input sections (step S105). Assume that D1 is selected in this example. The selected section D1 is output to the signature generation unit 15. Note that when the secret key storing unit 18 stores only one secret key, the above processing of the section selection unit 16 is skipped.

Upon reception of the selected section D1, the signature generation unit 15 acquires the hash value polynomial h(t) generated in step S103 from the polynomial generation unit 13, and substitutes h(t) in the s-coordinate of the selected section D1 (s=h(t)), thereby generating section D_(s) (step S106).

In this case, a section D_(s) given by:

D _(s)(U _(x)(t),U _(y)(t),t)=(t ³+6t ²+6t+1,t ⁴+5t ³+2t ²+5t+1,t)  (11)

is generated in this example.

This section D_(s) is output from a signature output unit 17 as a digital signature (step S107).

The aforementioned first and second variations are achieved by the same processing in this embodiment. When the first variation is utilized, p must be set to have 120 bits or more under the present situation (in consideration of the size of the hash value).

Note that respective functions (plaintext input unit 11, hash value calculation unit 12, polynomial generation unit 13, secret key input unit 14, signature generation unit 15, section selection unit 16, signature output unit 17, and the like) shown in FIG. 4 can be implemented when a computer, which comprises a memory 101 that stores various programs and the like, a calculation unit 100 such as a CPU or the like, an output unit 102, an input unit 103, a communication unit 104, and the like that are connected via a bus, executes programs stored in the memory 101, as shown in FIG. 11.

In FIG. 11, the memory 101 stores a plaintext input program, hash value calculation program, polynomial generation program, secret key input program, signature generation program, section selection program, and signature output program which are respectively used to implement the functions of the plaintext input unit 11, hash value calculation unit 12, polynomial generation unit 13, secret key input unit 14, signature generation unit 15, section selector 16, and signature output unit 17. The memory 101 also serves as the secret key storing unit 18 that stores the secret key.

The message m input by the plaintext input unit 11 and the digital signature output from the signature output unit 17 are sent to, e.g., a partner terminal via the communication unit 104.

FIG. 6 is a block diagram showing an example of a digital signature verification apparatus, and FIG. 7 is a flowchart for explaining the processing operation of the digital signature verification apparatus shown in FIG. 6. The arrangement and processing operation of the digital signature verification apparatus shown in FIG. 6 will be described below with reference to the flowchart shown in FIG. 7.

The digital signature verification apparatus shown in FIG. 6 acquires plaintext m from a plaintext input unit 21, and acquires a 3D, manifold A(x, y, s, t) defined on the finite field F_(p) as the public key from a public key input unit 24.

When plaintext m is input from the plaintext input unit 21, digital signature verification processing starts (step S201).

The input plaintext m is output to a hash value calculation unit 22, and a hash value is calculated using the same hash function as that used in the signature generation apparatus (step S202). In this example, the hash value is “0×151” as that output by the signature generation apparatus. This hash value is output to a polynomial generation unit 23.

The polynomial generation unit 23 calculates a hash value polynomial h(t) by the same algorithm as in the digital signature generation apparatus (step S203). Therefore, the hash value polynomial h(t) obtained in this step is h(t)=t²+5t+1.

The obtained hash value polynomial h(t) is output to a signature verification unit 26.

A public key storing unit 29 stores the polynomial of the 3D manifold A(x, y, s, t) defined on the finite field F_(p) as the public key generated by the key generation apparatus with the arrangement shown in FIG. 2 or FIG. 8 (to be described later).

The public key input unit 24 reads out the polynomial of the 3D manifold as the public key from the public key storing unit 29, and outputs it to the signature verification unit 26 (step S204). In this example, the 3D manifold given by equation (9), i.e., the public key is input to the signature verification unit 26. The signature verification unit 26 outputs the input public key to an algebraic surface generation unit 27.

The signature verification unit 26 outputs the hash value polynomial h(t) generated in step S203 to the algebraic surface generation unit 27.

The algebraic surface generation unit 27 substitutes the hash value polynomial h(t) output from the signature verification unit 26 in variable s of the 3D manifold to generate algebraic surface X(x, y, t) (step S205). In this case, algebraic surface X(x, y, t) given by:

$\begin{matrix} {{X\left( {x,y,t} \right)} = {{10t^{2}} + {13t^{4}} + y^{2} + {16x^{3}} + {4{xt}^{5}} + {15{xt}^{4}} + {4{xt}^{3}} + {8{xt}} + {16{xt}^{7}} + {6{xt}^{6}} + {5{xt}^{2}} + {10t^{6}} + {10t^{5}} + {8t^{7}} + t^{9} + t^{10}}} & (12) \end{matrix}$

is obtained.

Next, the signature verification unit 26 loads the signature D_(s): (U_(x)(t), U_(y)(t), t) which is given by equation (11) and is input to a signature input unit 25 (step S206). The x-coordinate U_(x)(t)=t³+6t²+6t+1 and the y-coordinate U_(y)(t)=t⁴+5t³+2t²+5t+1 of the D_(s) are substituted in the x- and y-coordinates of algebraic surface X given by equation (12), and are expanded and arranged (step S207). As described above, since the digital signature D_(s) is a divisor of algebraic surface X, substituting and arranging should yield “0”. Therefore, if the substitution result becomes “0” (step S208), “signature verification success” is output to a determination result output unit 28 (step S209). However, if the substitution result does not become “0”, since it means that the digital signature is wrong (step S208), “signature verification failure” is output to the determination result output unit 28 (step S210).

The determination result output unit 28 externally outputs the determination result, thus ending all the processes.

In the example described above, since the digital signature is authentic, the result obtained by substituting the digital signature D_(s) in algebraic surface X and arranging it surely becomes “0”, and the signature verification unit outputs “signature verification success” to the determination result output unit 28, which externally outputs it, thus ending the processing.

The first and second variations are achieved by the same processing in this embodiment.

Note that respective functions (plaintext input unit 21, hash value calculation unit 22, polynomial generation unit 23, public key input unit 24, signature input unit 25, signature verification unit 26, algebraic surface generation unit 27, determination result output unit 28, and the like) shown in FIG. 6 can be implemented when a computer, which comprises a memory 101 that stores various programs and the like, a calculation unit 100 such as a CPU or the like, an output unit 102, an input unit 103, a communication unit 104, and the like that are connected via a bus, executes programs stored in the memory 101, as shown in FIG. 12.

In FIG. 12, the memory 101 stores a plaintext input program, hash value calculation program, polynomial generation program, public key input program, signature input program, signature verification program, algebraic surface generation program, and determination result output program which are respectively used to implement the functions of the plaintext input unit 21, hash value calculation unit 22, polynomial generation unit 23, public key input unit 24, signature input unit 25, signature verification unit 26, algebraic surface generation unit 27, and determination result output unit 28. Also, the memory 101 serves as the public key storing unit 29.

To the signature input unit 25, a digital signature corresponding to message m generated by the digital signature generation apparatus is input.

The second key generation method will be described below. FIG. 8 is a block diagram showing an example of the arrangement of a key generation apparatus using the second key generation method, and FIG. 9 is a flowchart for explaining the processing operation of the key generation apparatus in FIG. 8. The arrangement and processing operation of the key generation apparatus in FIG. 8 will be described below with reference to the flowchart shown in FIG. 9.

A key generation processing start command is sent from an external apparatus or the like to a control unit 1, and the key generation apparatus starts key generation processing (step S301). Upon reception of the command, the control unit 1 requests a prime number generation unit 2 to generate a prime number. In prime number generation, a prime number may be randomly generated. However, since a large prime number need not be used, a prime number may be selected from those of about 6 bits at most randomly or arbitrarily (by means of determining the output order in advance), or a prime number determined in advance in the key generation apparatus may be used. Assume that a prime number p=17 is generated in this case (step S302).

The control unit 1 sends the prime number p to a section generation unit 5, which starts generation of sections. The section generation unit 5 determines x-coordinates u_(x,i)(s, t) and y-coordinates u_(y,i)(s, t) of n sections:

Di(x,y,s,t)=(u _(x,i)(s,t),u _(y,i)(s,t),s,t)

(1≦i≦n)

by the method to be described below.

Initially, a maximum value h_(x) of a degree associated with s of the x-coordinate, and a maximum value k_(x) of a degree associated with t are determined (step S303). That is,

h _(x)=max{deg_(s)(u _(x,i)(s,t))|1≦i≦n}

k _(x)=max{deg_(t)(u _(x,i)(s,t))|1≦i≦n}

In this example, h_(x)=k_(x)=2 for the sake of simplicity.

Next, the control unit 1 requests a polynomial generation unit 3 to generate x-coordinates u_(x,i)(s, t) of sections Di within the range of this degree which include the term s^(hx)t^(kx). Since n=3, the polynomial generation unit 3 randomly and sequentially determines u_(x,1)(s, t), u_(x,2)(s, t), and u_(x,3)(s, t) (step S304). That is, we can obtain:

u _(x,1)(s,t)=2s ² t ²+3s ² t+5s+7

u _(x,2)(s,t)=6s ² t ²+4s ² t+7s+1

u _(x,3)(s,t)=8s ² t ² +s ² t+7st+4

Next, a maximum value h_(y) of a degree associated with s of the y-coordinate, and a maximum value k_(y) of a degree associated with t are determined (step S305) as in step S303. That is,

h _(y)=max{deg_(s)(u _(y,i)(s,t))|1≦i≦n}

k _(y)=max{deg_(t)(u _(y,i)(s,t)|1≦i≦n}

In this example, h_(y)=k_(y)=2 for the sake of simplicity.

Next, the control unit 1 requests the polynomial generation unit 3 to generate y-coordinates u_(y,i)(s, t) of sections Di within the range of this degree which include the term s^(hy)t^(ky). Since n=3, the polynomial generation unit 3 randomly and sequentially determines u_(y,1)(s, t), u_(y,2)(s, t), and u_(y,3)(s, t) (step S306). That is, we can obtain:

u _(y,1)(s,t)=3s ² t ²+10st+2

u _(y,2)(s,t)=9s ² t ²+9st+7s+4

u _(y,3)(s,t)=4s ² t ²+7st+4s+5t+1

As described above, sections Di are generated.

These sections are output to the control unit 1. The control unit 1 outputs these sections to a manifold generation unit 6 to control it to generate a 3D manifold.

The manifold generation unit 6 converts the input u_(x,i)(s, t) and u_(y,i)(s, t) into factors like x-factors (x−u_(x,i)(s, t)) and y-factors (y−u_(y,i)(s, t)) (step S307).

Then, x-factors (x−u_(x,i)(s, t)) and y-factors (y−u_(y,i)(s, t)) whose i assume the identical values are randomly distributed to the left-hand side and right-hand side. The product of n factors distributed to the left-hand side, and that of n factors distributed to the right-hand side are coupled via an equal sign, thus generating a 4-variable (x, y, s, t) polynomial given by:

$\begin{matrix} {{\left( {x - {u_{x,1}\left( {s,t} \right)}} \right)\left( {y - {u_{y,2}\left( {s,t} \right)}} \right)\left( {x - {u_{x,3}\left( {s,t} \right)}} \right)} = {\left( {y - {u_{y,1}\left( {s,t} \right)}} \right)\left( {x - {u_{x,2}\left( {s,t} \right)}} \right)\left( {y - {u_{y,3}\left( {s,t} \right)}} \right)}} & (13) \end{matrix}$

The manifold generation unit 6 requests a polynomial calculation unit 8 to expand equation (13) above via the control unit 1 (or directly).

The polynomial calculation unit 8 expands equation (13) above to hold the respective terms included in the 4-variable polynomial to one of the left-hand side and right-hand side to obtain a 3D manifold A(x, y, s, t) (step S308) which is given by:

$\begin{matrix} {{A\left( {x,y,s,t} \right)} = {9 + {2s^{2}t^{2}} + {10t} + s + s^{2} + {11s^{2}t} + {8x} + {8y} + {13{xys}^{2}t} + {10{xyst}^{2}} + {14s^{2}t^{2}{yx}} + {3s^{2}t^{2}y} + {12{st}} + {7{st}^{2}} + {9{xy}} + {4{xs}} + {13s^{4}t^{4}} + {11s^{3}t^{3}} + {12s^{3}t^{2}} + {5s^{4}t^{3}} + {5{xs}^{2}t^{2}} + {7{xst}} + {7s^{2}{ty}} + {8s^{4}t^{4}y} + {15s^{4}t^{3}y} + {14s^{3}t^{4}y} + {3{xs}^{3}t^{2}} + {11{xs}^{3}t} + {8x^{2}s^{2}t^{2}} + {12{xs}^{3}t^{4}} + {8x^{2}{st}} + {14{xs}^{2}t^{3}} + {3s^{4}t^{2}y} + {4s^{3}t^{3}y} + {s^{3}{yt}^{2}} + {6s^{3}{yt}} + {4s^{2}{tx}} + {12{xst}^{2}} + {15{yst}^{2}} + {6s^{3}t} + {12{sy}} + {7s^{3}t^{4}} + {s^{2}x} + {9s^{4}t^{2}} + {16s^{4}t} + {13x^{2}} + {8s^{2}t^{3}} + {x^{2}y} + {10x^{2}s} + {13s^{6}t^{6}} + {s^{6}t^{5}} + {10s^{5}t^{6}} + {16s^{5}t^{5}} + {15s^{4}t^{5}} + {15s^{5}t^{3}} + {7s^{6}t^{4}} + {13s^{5}t^{2}} + {7{sy}^{2}} + {6s^{2}y} + y^{2} + {12{yt}} + {16{xy}^{2}} + {10s^{4}t^{4}x} + {12s^{3}t^{3}x} + {2s^{4}t^{3}x} + {16{syx}} + {6s^{2}t^{2}y^{2}} + {4s^{2}t^{3}y} + {4s^{2}{ty}^{2}} + {5{xyt}} + {16{syt}} + {7{xt}}}} & (14) \end{matrix}$

The polynomial calculation unit 8 outputs the obtained 3D manifold A(x, y, s, t) to the control unit 1. The control unit 1 outputs the three sections and 3D manifold A(x, y, s, t) as keys to a key output unit 7, which outputs these keys.

Note that the respective functions (control unit 1, prime number generation unit 2, polynomial generation unit 3, polynomial calculation unit 8, section generation unit 5, manifold generation unit 6, key output unit 7, and the like) shown in FIG. 8 can be implemented when a computer, which comprises a memory 101 that stores various programs and the like, a calculation unit 100 such as a CPU or the like, an output unit 102, an input unit 103, a communication unit 104, and the like that are connected via a bus, executes programs stored in the memory 101, as shown in FIG. 13.

In FIG. 13, the memory 101 stores a key generation control program, prime number generation program, polynomial generation program, polynomial calculation program, section generation program, manifold generation program, and key output program which are used to implement the functions of the control unit 1, prime number generation unit 2, polynomial generation unit 3, polynomial calculation unit 8, section generation unit 5, manifold generation unit 6, and key output unit 7.

The secret key and public key output from the key output unit 7 in FIG. 8 are sent to a request source via, e.g., the communication unit 104, or are passed to a digital signature generation apparatus and digital signature verification apparatus (to be described later).

The polynomial generation unit 3 of the key generation apparatus shown in FIG. 8 determines the maximum values of the degrees of variables s and t (the maximum degree h_(x) of variable s of the x-coordinate, the maximum degree k_(x) of variable t of the x-coordinate, the maximum degree h_(y) of variable s of the y-coordinate, and the maximum degree k_(y) of variable t of the y-coordinate) upon generation of a 2-variable polynomial corresponding to the x- and y-coordinates of each section so as to improve the security. Then, the polynomial generation unit 3 generates a 2-variable polynomial which inevitably includes the term s^(hx)t^(kx) for the x-coordinate, and a 2-variable polynomial which inevitably includes the term s^(hy)t^(ky) for the y-coordinate.

However, the embodiment of the invention is not limited to this such case. When a 2-variable polynomial u_(x,i)(s, t) (i: 1≦i≦n) which includes a plurality of monomials each of which has at least one of variable s whose degree is equal to or lower than the maximum value h_(x) and variable t whose degree is equal to or lower than the maximum value k_(x) as a factor, and a 2-variable polynomial u_(y,i)(s, t) (i: 1≦i≦n) which includes, a plurality of monomials each of which has at least one of variable s whose degree is equal to or lower than the maximum value h_(y) and variable t whose degree is equal to or lower than the maximum value k_(y) as a factor, are generated, a 3D manifold having n sections can be generated.

As described above, according to the embodiment, the digital signature generation apparatus on the message sending side stores a finite field F_(p) and section D(u_(x)(s, t), u_(y)(s, t), s, t), whose x- and y-coordinates are expressed by the functions of parameters s and t, of surfaces of a 3D manifold A(x, y, s, t) which is expressed by the x-coordinate, y-coordinate, parameter s, and parameter t, and is defined on the finite field F_(p) in a storing unit as a secret key for signature generation. A calculation unit such as a CPU or the like calculates a hash value of message m, and embeds this hash value in coefficients of 1-variable polynomial h(t) defined on the finite field F_(p) to generate a hash value polynomial. The calculation unit reads out one section from the storing unit and generates a digital signature using that section as a secret key for signature generation. That is, by substituting the hash value polynomial in the s-coordinate of the section, digital signature Ds(U_(x)(t), U_(y)(t), t) as a curve on the section, whose x- and y-coordinate are expressed by the function of parameter t is generated. The digital signature generated in this way is sent to the message receiving side by a sending unit on the message sending side together with the message m.

The storing unit stores a plurality of different sections D_(i)(u_(x,i)(s, t), u_(y,i)(s, t), s, t) (i is an arbitrary positive integer falling within the range 0≦i≦n). Every time a digital signature is generated, one arbitrary section is selected from the plurality of sections D_(i) stored in the storing unit to generate a digital signature, thus improving security.

The digital signature verification apparatus on the message receiving side stores, in a storing unit, a finite field F_(p), and a polynomial of a 3D manifold A(x, y, s, t) which is expressed by the x-coordinate, y-coordinate, parameter s, and parameter t, and is defined on the finite field F_(p), as a public key. Upon reception of message m and digital signature Ds: (U_(x)(t), U_(y)(t), t) corresponding to the message m, a calculation unit such as a CPU or the like calculates a hash value of the message m and embeds this hash value in a 1-variable polynomial h(t) defined on the finite field F_(p) to generate a hash value polynomial. The calculation unit substitutes the hash value polynomial in the s-coordinate of the polynomial of the 3D manifold A(x, y, s, t) as a public key corresponding to the message sending, side from the storing unit, thus calculating algebraic surface X(x, y, t) corresponding, to the hash value. Furthermore, the calculation unit substitutes the digital signature in algebraic surface X(x, y, t) to verify the authenticity of the message and digital signature. That is, after x-coordinate (expressed by the polynomial of variable t) U_(x)(t) of the digital signature is substituted in the x-coordinate of algebraic surface X(x, y, t), and y-coordinate (expressed by the polynomial of variable t) U_(y)(t) of the digital signature is substituted in the y-coordinate of algebraic surface X(x, y, t), the equation is expanded (to express the products of polynomials in the form of the sum of monomials) and arranged. As a result, when this result (the substitution result of the x- and y-coordinates of the digital signature in algebraic surface X(x, y, t)) is “0”, it is verified that message m has not been falsified, and message m is transmitted from an authentic message sender corresponding to the public key (signature verification success).

In the key generation apparatus, a calculation unit such as a CPU or the like generates a first 2-variable polynomial λ_(x)(s, t) for parameters s and t defined on the finite field F_(p), and a second 2-variable polynomial λ_(y)(s, t) which is divisible by the first 2-variable polynomial λ_(x)(s, t), and is defined on the finite field F_(p). Next, the calculation unit generates two 2-variable polynomials u_(x)(s, t) and v_(x)(s, t) which is defined on the finite field F_(p) and whose variable x is expressed by parameters s and t, so that a difference {u_(x)(s, t)−v_(x)(s, t)} of the two 2-variable polynomials is λ_(x)(s, t). Furthermore, the calculation unit generates two 2-variable polynomials u_(y)(s, t) and v_(y)(s, t) which is defined on the finite field F_(p) and whose variable y is expressed by parameters s and t, so that a difference {u_(y)(s, t)−v_(y)(s, t)} of the two 2-variable polynomials is λ_(y)(s, t). The calculation unit then generates section D1: (x, y, s, t)=(u_(x)(s, t), u_(y)(s, t), s, t) which has the 2-variable polynomial u_(x)(s, t) as the X-coordinate and the 2-variable polynomial u_(y)(s, t) as the y-coordinate, and section D2: (x, y, s, t)=(v_(x)(s, t), v_(y)(s, t), s, t) which has the 2-variable polynomial v_(x)(s, t) as the x-coordinate and the 2-variable polynomial v_(y)(s, t) as the y-coordinate. These two sections D1 and D2 serve as secret keys. Also, a 3D manifold A(x, y, s, t) having these two sections D1 and D2 is generated. This 3D manifold A serves as a public key.

In another key generation apparatus, a calculation unit such as a CPU or the like generates n (n is a positive integer), first to n-th (n is a positive integer) 2-variable polynomials u_(x,i)(s, t) (i: 1≦i≦n) for parameters s and t defined on the finite field F_(p), and n (n is a positive integer), first to n-th (n is a positive integer) 2-variable polynomials u_(y,i)(s, t) (i: 1≦i≦n) for parameters s and t defined on the finite field F_(p). The calculation unit generates i-th section Di: (x, y, s, t)=(u_(x,i)(s, t), u_(y,i)(s, t), s, t) (1≦i≦n) which has the generated i-th (1≦i≦n) 2-variable polynomials u_(x,i)(s, t) and u_(y,i)(s, t) as the x- and y-coordinates, thus calculating the n, first to n-th sections Di (1≦i≦n). These n sections serve as secret keys. Furthermore, the calculation unit generates i-th x-factor (x−u_(x,i)(s, t)) and y-factor (y−u_(y,i)(s, t)) using the generated i-th (1≦i≦n) 2-variable polynomials u_(x,i)(s, t) and u_(y,i)(s, t), thus calculating the first to n-th x- and y-factors. The calculation unit distributes the generated i-th (1≦i≦n) x- and y-factors to the left-hand side and right-hand side, and the product of n x- and y-factors distributed to the left-hand side and that of n x- and y-factors distributed to the right-hand side are coupled via an equal sign to generate an equation. The calculation unit expands this generated equation to generate a polynomial of a 3D manifold A(x, y, s, t) as a public key.

In this manner, the digital signature system based on the public-key cryptosystem according to the embodiment can generate a robust digital signature which has high security and reliability, and generation can be implemented by a small computation amount. 

1.-18. (canceled)
 19. A digital signature verification apparatus comprising: a memory to store a finite field F_(q) and a polynomial of a three-dimensional manifold A(x, y, s, t) which is expressed by an x-coordinate, a y-coordinate, a parameter s, and a parameter t and is defined on the finite field F_(q); a first input unit configured to input a message m; a second input unit configured to input a digital signature Ds: (U_(x)(t), U_(y)(t), t) corresponding to the message m, the digital signature being a curve on a section D(u_(x)(s, t), u_(y)(s, t), s, t) which is one of surfaces of the three-dimensional manifold A(x, y, s, t), the x-coordinate and y-coordinate of the section being expressed by functions of the parameter t, the digital signature being generated by using the section as a secret key; a first calculation unit configured to calculate a hash value of the message m; a generation unit configured to generate a hash value polynomial by embedding the hash value in a 1-variable polynomial for the parameter t defined on the finite field F_(q); a second calculation unit configured to calculate an algebraic surface X(x, y, t) corresponding to the hash value by substituting the hash value polynomial in the parameter s of the polynomial stored in the memory; and a verification unit configured to verifying authenticity of the message and the digital signature by substituting a function U_(x)(t) representing the x-coordinate of the digital signature and a function U_(y)(t) representing the y-coordinate of the digital signature in an x-coordinate and a y-coordinate, respectively, of the algebraic surface X(x, y, t).
 20. A digital signature verification method including: storing, in a memory, a finite field F_(q) and a polynomial of a three-dimensional manifold A(x, y, s, t) which is expressed by an x-coordinate, a y-coordinate, a parameter s, and a parameter t and is defined on the finite field F_(q); inputting a message m; inputting a digital signature Ds: (U_(x)(t), U_(y)(t), t) corresponding to the message m, the digital signature being a curve on a section D(u_(x)(s, t), u_(y)(s, t), s, t) which is one of surfaces of the three-dimensional manifold A(x, y, s, t), the x-coordinate and y-coordinate of the section being expressed by functions of the parameter t, the digital signature being generated by using the section as a secret key calculating a hash value of the message m; generating a hash value polynomial by embedding the hash value in a 1-variable polynomial for the parameter t defined on the finite field F_(q); calculating an algebraic surface X(x, y, t) corresponding to the hash value by substituting the hash value polynomial in the parameter s of the polynomial stored in the memory; and verifying authenticity of the message and the digital signature by substituting a function U_(x)(t) representing the x-coordinate of the digital signature and a function U_(y)(t) representing the y-coordinate of the digital signature in an x-coordinate and a y-coordinate, respectively, of the algebraic surface X(x, y, t).
 21. A digital signature verification program stored on a computer readable medium, the program including: first program instruction means for instructing a computer processor to store, in a memory, a finite field F_(q) and a polynomial of a three-dimensional manifold A(x, y, s, t) which is expressed by an x-coordinate, a y-coordinate, a parameter s, and a parameter t and is defined on the finite field F_(q); second program instruction means for instructing the computer processor to input a message m; third program instruction means for instructing the computer processor to input a digital signature Ds: (U_(x)(t), U_(y)(t), t) corresponding to the message m, the digital signature being a curve on a section D(u_(x)(s, t), u_(y)(s, t), s, t) which is one of surfaces of the three-dimensional manifold A(x, y, s, t), the x-coordinate and y-coordinate of the section being expressed by functions of the parameter t, the digital signature being generated by using the section as a secret key; fourth program instruction means for instructing the computer processor to calculate a hash value of the message m; fifth program instruction means for instructing the computer processor to generate a hash value polynomial by embedding the hash value in a 1-variable polynomial for the parameter t defined on the finite field F_(q); sixth program instruction means for instructing the computer processor to calculate an algebraic surface X(x, y, t) corresponding to the hash value by substituting the hash value polynomial in the parameter s of the polynomial stored in the memory; and seventh program instruction means for instructing the computer processor to verify authenticity of the message and the digital signature by substituting a function U_(x)(t) representing the x-coordinate of the digital signature and a function U_(y)(t) representing the y-coordinate of the digital signature in an x-coordinate and a y-coordinate, respectively, of the algebraic surface X(x, y, t). 